File: README.ssl

Package: sbnc 1.2-26 (Debian, area: main, suite: wheezy)
Secure Sockets Layer (SSL)
--------------------------

Using the OpenSSL library, shroudBNC supports encrypted client connections. Additionally, client
certificates can be used to authenticate users instead of (or in addition to) a password.

Why?
----

IRC is often used over unencrypted connections. Sniffing a wired LAN/WAN requires a foothold on
the network path, so the risk is easy to overlook there, but it becomes obvious on a wireless
network, e.g. a campus WLAN, where any other user of the same network can capture your traffic,
including your bouncer password.

Compiling sBNC with support for SSL
-----------------------------------

The "configure" script detects whether the OpenSSL libraries and headers are installed and
enables SSL support if they are found.

How to set up sBNC for SSL
--------------------------

sBNC supports two kinds of listeners, unencrypted and encrypted. During startup two
configuration settings are read to determine whether the user wants an unencrypted listener,
an encrypted listener, or both:

system.port - sets the port for the unencrypted listener
system.sslport - sets the port for the SSL-enabled listener

If neither setting is present, sBNC falls back to creating an unencrypted listener on
port 9000. Note that this default is unencrypted: you must set "system.sslport" explicitly
to get an encrypted listener.

You can remove the "system.port" setting from your configuration file if you just want an
encrypted listener; with no unencrypted port configured, passwords can no longer be sent in
the clear by a misconfigured client.

These settings can be set in the bouncer's main configuration file: sbnc.conf

Once you've enabled SSL, sBNC expects to find the following files in your bouncer's directory:

sbnc.crt - the server's X.509 certificate (the public part)
sbnc.key - the server's private key

The private key must be readable only by the user the bouncer runs as (e.g. mode 0600);
anyone who can read it can impersonate your bouncer to your clients.

The "openssl" utility can be used to create certificates. You can also use "make sslcert", which
will generate a self-signed SSL certificate for you and install it in the appropriate directory.
Because the certificate is self-signed, clients will not trust it automatically: compare the
certificate fingerprint shown by your client on the first connection with the fingerprint of
your sbnc.crt before accepting it.

Client Certificates
-------------------

Clients like irssi or mIRC which support client certificates can use such certificates for
authentication.

When you want to register the public key you are going to use for your bouncer account, you have
to log in using your client certificate AND your password (the bouncer does not know your
public key yet, so the password is what proves the account is yours).

Once you're logged in you can use /sbnc savecert to tell sBNC that the client certificate you
are currently using is to be trusted for public key authentication.

Use /sbnc showcert to check that the certificate was saved correctly. You should now be able to
log in using this client certificate.

(You can also set your public key by putting an X.509 certificate into your users/ directory. The
file's name should be <username>.crt, where <username> is your username. Only the certificate
belongs there, never the client's private key. This method requires a restart, as sBNC only
reads the certificate files during startup.)

SSL and "make update"
---------------------

Please keep in mind that you will not be able to use "make update" or /sbnc reload to update your
bouncer if you're using a server key which is protected with a passphrase. During the
reload phase of shroudBNC, OpenSSL would try to prompt the user for the key's passphrase,
which effectively freezes/crashes shroudBNC. Store the key without a passphrase and protect it
with file permissions instead (an existing passphrase can be removed with the "openssl" utility,
e.g. "openssl rsa -in protected.key -out sbnc.key"). A solution for this problem might be
implemented later.